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(57) Abstract 

An electronic security system that embeds electronic 
immobilisation protection devices (TPDs) in electronic prod- 
ucts and components. IPDs have controlled access to a se- 
curity service provider (SSP). At power on, and periodically 
thereafter, the IPD sends a cryptographically secure "chal- 
lenge" to the SSP. If a part has not been reported stolen, 
then the SSP replies with a valid cryptographically secure 
"response", otherwise it replies with an invalid "response". 
If the IPD receives an invalid "response", or when a limited 
time has elapsed without a "response", it renders the part in- 
operative. A valid "response", inside the time limit, allows 
the part to function normally. A stolen and recovered prod- 
uct can be identified and traced to its rightful owner, who 
contacts the SSP to re-enable the product. IPDs allow spe- 
cific parts to function normally for a limited period of time, 
so that existing hardware, software and network resources 
can be utilised to communicate to the SSP. 
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Immobilisation Protection System for E lectronic Components 
This invention relates to security for electronic products 
and systems . 

5 

The theft of electronic products (e.g. computer, video and 
hi-fi appliances) and VLSI components (CPUs and SIMMs) has 
become a matter of great concern to both companies and 
'individuals. Currently, most products and components lack 
10 unforgeable serialisation capable of. linking them to their 
registered owner. As a result, criminals have the 
incentive that stolen equipment can be re-sold as new with 
negligible depreciation . 

15 Currently, such crime is deterred by physical security 

systems protecting premises and/or individual equipment.. 
Many of these systems hinder the normal use of such 
equipment and pose no real deterrent to the determined 
criminal . 

20 

The knowledge that the ownerships of products or 
components are quickly traceable is a significant 
deterrent to the criminal. However, even if the equipment 
is traceable, the criminal can re-sell equipment which is 
25 still fully functional. A greater level of deterrent to 
the criminal is the publicised knowledge that, taken away 
from an authorised user, a product or component is 
rendered inoperative. 
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US-A-4 , 759 , 062 discloses a means for immobilising 
micro-processor controlled electronic equipment using a 
"challenge-response" authentication scheme between 
equipment and an authorised service centre. The equipment 
5 sends a challenge that is communicated to the authorised 
service centre which computes a response which is 
communicated back to the equipment. If the equipment 
receives an incorrect response then it renders the 
equipment inoperative. The cryptographic algorithm used 
10 to compute responses in each piece of equipment is 

identical, in such a way that, if the algorithm in one 
piece of equipment is compromised, then all other 
equipments are compromised. 

15 GB-A-2 , 251 , 503 discloses a security system that prevents 
unauthorised parts embedded with electronic protection 
equipment from being used in a car. The • protect ion 
equipment is added to a part in such a way that removal of 
the protection equipment would cause terminal damage to 

20 the protection equipment. This system employs a 

"challenge-response" authentication scheme between a 
controller and its parts (i.e. in the opposite direction 
to the above art) . The controller sends a coded signal to 
the part which processes the signal and provides a 

25 response. If a part answers the challenge incorrectly 

then the controller sends immobilisation commands to that 
part and other parts in the system, in order to render 
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However, components removed from a protected vehicle and 
moved to an unprotected vehicle will function normally and 
5 furthermore lack means of unforgeable identification. 

Therefore according to the present invention there is 
'provided an electronic immobilisation device (IPD) , for 
protecting electronic equipment associated therewith, and 
10 for use with a remote validating means (SSP) , the 
immobilisation device comprising: 

means for generating a challenge code (C n ) ; 

means for providing an identification code (P) 
uniquely identifying the electronic immobilisation device; 
15 output means for outputting said challenge code and 

said identification code to said validating means (SSP) ; 

input means for receiving a response code (R,,) from 
said validating means (SSP); 

checking means for comparing said response code (R^) 
20 with said challenge code and providing a control signal 
indicating whether said comparison is valid; and 

inhibiting means for inhibiting or restricting 
operation of the protected electronic equipment if said 
control signal is not valid. 

25 

Throughout the specification the term equipment refers 
either to a product, module or component . 
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Protected electronic equipment is provided with. an 
embedded electronic immobilization protection device 
(IPD) , such that from power on, the IPD can control the 
useful operation of the equipment. 

5 

The IPDs may be embedded within the equipment at one of 
three levels as: 

(i) an additional component inside a housing or mounted 
on a printed circuit board; 
10 (ii) an additional component bonded to components, 
particularly important, essential 'or high value 
components; or 

(iii) additional logic integrated at mask {or multi-chip 
module) level into essential or high value integrated 
15 circuits. 

Essential components are those without which the product 
of which they form a part cannot function usefully. Level 
(i) provides the lowest level of deterrent because it may 

20 be possible to by-pass the IPDs. Furthermore, there is no 
deterrent against extraction of high values components. 
In level (ii) the IPD is bonded to and encapsulates 
components in such a way that by-pass or removal of the 
IPD causes terminal damage to the protected component. 

25 Level (iii) provides the highest level of deterrent 
because the IPD is truly integral with the protected 
component, making by-pass extremely difficult. 
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The rightful owner of a piece of protected equipment is 
provided with controlled access to a security service 
provider (SSP) . IPDs are programmed by the manufacturer 
or retailer with a unique part number (P) , one or more 
5 cryptographic functions, and cryptographic keys. To 

initiate protection, the rightful owner registers the IPDs 
. with a SSP. The manufacturer or retailer advises the SSP 
of the necessary cryptographic functions and keys, using a 
secure channel. 



When protected equipment is powered on, a communication 
link between the IPDs and the SSP is established. This 
link can involve dedicated functions and communication 
paths within the product. Alternatively, the pre-existing 

15 microprocessor and communication units within the product 
can be programmed to provide the link. Once the link is 
established, each IPD sends its part number P together 
with a random "challenge 1 '. The SSP uses the received part 
number P to retrieve the appropriate cryptographic 

2 0 function (s) and cryptographic key{s) from a database. The 
SSP can then use the challenge, together with the 
retrieved function (s) and key(s) to compute a 
cryptographically secure response. 

25 If the product or component containing an IPD has not been 
reported stolen, then the SSP replies with a valid 
cryptographically secure "response", otherwise it replies 



10 
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with an invalid "response". An invalid "response" could 
be no response at all. If the IPD receives an invalid 
"response", or when a time limit has elapsed without a 
valid "response" , then it renders the protected equipment 
5 inoperative. If the IPD receives a valid "response", 
inside the time limit, then it allows the protected 
equipment to function normally. In either case, if the 
time limit, measured from power on or some other 
appropriate point, has elapsed and the IPD has not 

10 received a valid "response", then it disables the 

protected equipment. The time limit is short enough 
(typically a few minutes) to prevent any useful operation 
of the protected equipment, but sufficient to allow time 
to send and receive the required sequence of challenges 

15 and responses from the SSP. 

The IPD can be used in combination with the SSP to provide 
authorised users with a means to uniquely and unforgeably 
identify protected equipment. The IPD and SSP can provide 
20 this capability in a number of ways. 

One such way, that uses a uni-directional protocol, is to 
provide access to a cryptographically secure checksum 
derived from the combination of the part number P, 
25 cryptographic key information and a randomly generated 

code from the IPD . By validating two or more consecutive 
checksums, the SSP can be sure the IPD part number 
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corresponds to the key information held in the SSP 
database . 

A second way, that uses a bi-directional protocol, carries 
5 out a normal validation process whereby the SSP responds 
correctly to a challenge issued by recovered equipment and 
the user monitors the status of the equipment. If the 
equipment is operational then its part number is genuine. 
If the equipment is immobilised then the user can infer 
10 that the IPD has been tampered with. 

Methods of identification, such as those described above, 
provide unique identification in that the code sequence 
used to perform the identification is unique to each IPD 

15 and, furthermore, is' unforgeable in that replaying 

previous code exchanges between the IPD and SSP will not 
allow positive identification of the protected equipment. 
In the latter realisation, a unique response from all IPDs 
to a given challenge is required. This can be achieved by 

2 0 using a unique cryptographic key for each device or by 
using the unique part number P in the computation and 
verification of the cryptographically secure response. 

By using this unique and unforgeable identification, a 
25 stolen and recovered product containing one or more IPDs 
can be positively identified and traced to its registered 
owner. When returned, the registered owner contacts the 
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SSP in order to authorise the SSP to supply valid 
responses to the protected equipments, after which, the 
protected equipments function as normal. 

5 Some portable equipment maintain continuous power to 
specific components. To ensure such equipment is 
immobilized in the wrong hands, the IPD may be arranged so 
that the "challenge - response" cycle is repeated 
periodically, e.g. every eight hours. The duration of 

0 this interval can be varied to suit organizational or 
operational requirements . 

Some prior art systems- are vulnerable to disclosure of 
their principle of operation. A criminal could either 

5 monitor an authorised user's challenges and responses or 
submit their own challenges to an SSP and monitor the 
response. By doing this a series of challenge-response 
data can be accumulated and the coding system used in the 
SSP/IPD deciphered. Once this is done the criminal can 

0 calculate a valid response to any challenge, for example 
by correctly duplicating the function of the SSP. 

For extra security, use of a unique cryptographic key in 
each IPD protects the concept of the system from 
5 compromise, i.e. if the keys within a single IPD are 
compromised the system as a whole is not compromised. 
Thus even if the operation of the system is known, it is 
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still necessary to find out the unique key for each IPD to 
use the protected equipment. The security of the system 
may be further enhanced by allowing the manufacturers and 
system operators to agree their own algorithms. However, 

5 it is in the interests of the manufactures and operators 
to choose "strong" cryptographic algorithms. The term 
"strong" refers to algorithms that remain secure in the 
event of exposure, i.e. if the algorithm within one IPD is 
exposed then IPDs using the same algorithm are not 

0 compromised. Prefixing the part number P to the 

"challenge" identifies the IPD to the SSP and allows the 
SSP to select the correct algorithms and keys for the IPD 
requesting the "response." Furthermore, the SSP uses the 
part number P to search in a database containing the 

5 status of IPDs, e.g. unregistered, registered, stolen, or 
recovered, to confirm the status of the IPD. 

An SSP can provide its users with several modes of 
connection: (i) circuit or packet access to a central 
0 security server; (ii) packet access to a local security 
server; or (iii) direct access to a plug- in security 
server . 

Mode (i) is a centralized mode whereby the product 
5 connects to a central security server using any available 
means of communication, e.g. an individual can use a modem 
to connect via a PSTN; a company can use its LAN to 
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connect via a WAN gateway. 



Mode (ii) is a distributed mode of operation in which 
local servers connect when necessary to a central security 
5 server. Local security servers contain, at least one IPD 
per server, so that, in the event a server is stolen, 
equipment stolen from the same premises is not 
compromised. There are two types of local security 
server: (i).a slave server that computes "responses"; (ii) 

10 a cache server that requests several "challenges 1 ' in 

advance and stores the "responses" obtained from a central 
server.. If possible, the local server uses volatile 
storage. However, information in non-volatile storage is 
stored, encrypted and decrypted on- the- fly. A single 

15 local server might be contained in a house or small 

business, whereas several might be used in large company 
or organization. Consumer electronics inside a house can 
communicate to a local server using an infra-red network. 
Large office buildings might use a hierarchy of cache 

2 0 servers connected to a slave server. 

In mode (iii) , a product has direct connection to a 
smart-card (or similar device) that computes "responses". 
The smartcard contains the key information necessary to 
25 acknowledge the IPDs within the product it serves. When 
the product is unused, it is the users responsibility to 
remove and store the smartcard safely, in order to prevent 
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the product from operating. The smartcard itself has a 
given lifetime that once exceeded renders the card 
useless. The smartcard can be reactivated by the SSP. If 
a product or component is stolen then the smartcard can be 
5 presented to an insurer as proof of immobilization. 

Users may wish to purchase products and components with 
the IPD security not activated. At some later date, the 
user can enable the IPD security and enter the system by 
10 contacting an SSP. This allows equipment fitted with IPDs 
to be used as normal in systems without connection to and 
authorisation of an SSP . This also avoids the need to 
manufacture two types of device, i.e. with IPD and without 
IPD. 

15 

Once enabled, the IPD security can preferably not be 
disabled. However, SSP users could leave the system by 
obtaining a lifetime smartcard covering the users products 
and components. However, once the user obtains such a 
20 card, the SSP can offer the user no security for these 
products and components* 

The embedded and cryptographically secure natures of IPDs 
is sufficient so that individuals, outside the realms of 
25 approved manufacturers and the SSPs, including the 

rightful owner, are unable to provide a method, or gain 
information, to by-pass or enable IPDs without a valid 
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10 



15 



20 



"response" from an SSP. 

IPDs incorporated into data storage products can provide 
data security in addition to immobilization. For example, 
the control processor on a fixed disk can be programmed, 
from power on, not to transfer data on some or all of the 
disk until a valid "response" is obtained from an SSP. If 
the disk is reported stolen, then data on the disk in the 
specified partitions cannot be read at all, not even for a 
limited time. 

IPDs may be used to provide controlled access to the 
equipments they immobilize. For example, outside working 
hours, the SSP can provide invalid responses to selected 
IPD "challenges", in order to ensure that certain items of 
equipment cannot be used outside pre-determined hours. 

The SSP can store a day-to-day record of the products and 
equipment that send IPD "challenges". The SSP can use 
this record to provide an audit facility to its customers. 
This is especially useful for computer memory modules, 
plug- in cards and peripherals that are moved around in a 
large organization, e.g. the SSP can provide day-to-day 
lists of products containing IPDs that have been moved 
from one machine to another. 

The length of t:ne between "challenge - response" cycles 



BNSDOCID: <WO 9804967A1 _l_> 



WO 98/04967 



PCT/GB97/00241 



- 13 - 

can be lowered in order to provide customers with a usage 
monitoring capability. However, the SSP cannot obtain 
such information when equipment is switched on and is 
unused. 

5 

Furthermore, the use of IPD's can be extended for use in 
all manner of verification purposes. For example, credit 
cards or ID cards could be provided with IPD's using smart 
card technology, such that they do not provide data or 
10 authorisation if they are lost or stolen etc. 

By operating an alternate challenge response mechanism, 
IPDs can be used to grant access to restricted hardware 
and software services. The party providing the service (s) 

15 advises the SSP of what service (s) the said IPD can be 

granted access to. When a service user requests a service 
from a given party, the party operating the service sends 
two challenges: the first to a nominated IPD, within the 
equipment of the service user, and the second, a copy of 

20 the first, prefixed with an identifier for the requested 
service, to the SSP. Both the SSP and the IPD provide the 
party with responses to the challenge. If the user has 
been granted access to the requested service (determined 
by the received identification code) , then the SSP answers 

25 the party's challenge correctly, otherwise, it answers 
incorrectly. Finally, the party compares the responses 
received from the SSP and IPD. If they are identical, 
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then the party grants access to the requested service, 
otherwise, it denies access. In this scheme, the party- 
providing the service has no knowledge (or need to know) 
of the cryptographic algorithms and keys held within the 
5 IPDs and the SSP. 

The present invention will be more clearly understood from 
the following description, given by way of example only, 
with reference to the accompanying drawings in which: 

10 

Figure 1 is a flow diagram that shows the computational 
functions inside an embodiment of an IPD and SSP; 

Figure 2 is a personal computer system incorporating IPDs; 

15 

Figures 3 and 4 show two methods in which a single PC can 
connect Xo an SSP; and 

Figures . 5 ; 6 and 7 show how corporate users with existing 
2 0 networks can connect to an SSP „ 

Referring to figure 1. The IPD "challenge" is a 
non-recurring cryptographically secure random number. To 
achieve the non-recurring property, the IPD contains a 
25 non-volatile state register 40. The IPD loads the 
contents of the state register S n , into a sequence 
generator 41 from which a new unique state, S no is 
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generated, but not immediately used. The output of the 
sequence generator, O n , is fed into a cryptographic encoder 
42. The output, O n is derived from S n and preferably not 
reversibly such that S n is not derivable from O n . This can 
5 be achieved, for example, by only using some of the bits 
of S n to produce O n . The encoder 42 uses a cryptographic 
function or algorithm to code the input O n using a key K 0 
stored inside the IPD. The output C n , from the encoder 42 
is the "challenge". The key K 0 need not be unique amongst 
10 all IPDs. However, if the key K 0 is unique, then each IPD 
produces a unique sequence of cryptographically secure 
random "challenges". This level of refinement makes the 
system more difficult to attack. 

15 To allow an SSP to filter "challenges" from rogue users, 
the IPD incorporates a means for the SSP to validate 
"challenges". To achieve this the IPD must uniquely 
identify itself to the SSP. For example, an attacker, 
wishing to deny SSP service from legitimate users could 

20 flood SSP connections with rogue "challenges" and possibly 
monitor the responses. One such means to prevent this is 
to send an authenticator , A n/ derived from the "challenge", 
C n , using a second encoder 43 with the key, K x , stored in 
the ROM. 

.25 

At the SSP, the received "challenge" is fed into an 
encoder 44 with the key K x , obtained from a lookup database 
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based on the part number P of the IPD. The first encoder 
4 3 and second encoder 44 carry out the same coding 
operation as each other. If the output, VP^, of encoder 44 
and the received authenticator A„ from the IPD are the same 
then the "challenge", C n , is valid. The received 
"challenge" C n is fed into a third encoder 45 utilising the 
key K 2 , obtained from the lookup database using P generated 
by the part number generator 50. The output from the 
third encoder is the cryptographically secure "response", 
R„. Returning to the IPD, C n is fed into a fourth encoder 
46 utilising the key K 2 , stored inside the IPD. The third 
4 5 and fourth 4 6 encoders carry out the same coding 
operation. The output, VR„, of the fourth encoder 46 and 
the received "response" R„ (from the SSP) are compared by a 
comparator 4 9 and if they are equal, then the protected 
product or component is allowed to function and the 
register 40 is loaded with the state S n+1 . If the 
comparison 4 9 fails, then the product or component is 
disabled and the register 40 remains in its original 
state, S n . This means that an unauthorised user is unable 
to monitor the sequence of challenges from the IPD as 
these only change when a valid challenge -response cycle 
occurs . 

The SSP monitors 51 the part number P and checks to ensure 
that the corresponding IPD has not been reported stolen or 
otherwise. If so, an invalid response or no response is 
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output . 



The cryptographic function used in the encoders 42-46 



shown in figure 1 can be block cipher algorithms in which 
5 the key is directly applied. Alternatively, the 

cryptographic function can be a secure hash function in 
which the key is mixed with the input to the function. 
The non-recurring property of the "challenge" is highly 
desirable, but not essential. An alternative is to use a 
10 true random number generator in place of the non-volatile 
state register and sequence generator. 

A personal computer (PC) system incorporating IPDs 71 72 
is shown in figure 2. Internal IPDs are connected via a 

15 simple bus 62 to the IPD interface adaptor 65, integrated 
on the PC motherboard 70. Alternatively, the IPD 
interface adaptor is a plug- in card. External IPDs 72 are 
-connected to external IPD bus 67 and use a buffered 
connection 66 to the IPD interface adaptor 65. 

20 Alternatively, external IPDs can use existing connections 
to the computer, eg. printers can use a parallel or serial 
port and SCSI peripherals can use the SCSI bus. The PC 
has at least one means to access the SSP, eg. a network 
adaptor 73, a smartcard interface (see figure 3) , or a 

25 modem attached to a PSTN (see figure 4) . 

When the PC is turned on, IPDs in system critical 
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components 60 61 are enabled, for a limited period of 
time, allowing the computer to function normally. This 
time is sufficient for the PC to load its operating 
system, establish communication with the SSP, to send 
5 "challenges" and receive "responses 11 . The details of 
procedure are as follows. The PC loads its operating 
system and starts a special process that (i) collects part 
numbers and "challenges" from the components 60 61 63 68 
using the IPD interface adapter 65; (ii) establishes a 

10 connection to the SSP; (iii) sends the part numbers and 
"challenges" to the SSP; (iv) receives- "responses" from 
the SSP; and (v) dispatches "responses" to the appropriate 
IPDs. Any component in the PC system that does not belong 
to its rightful owner receives an invalid "response" from 

15 the SSP. In this case, the IPD will disable the component 
after an additional short delay (to allow the computer 
fail safe) . If all "responses" are valid, then the 
computer continues to function normally and with 
system-critical functions enabled. A key feature is, 

2 0 therefore, that existing hardware (such as 60 61) and 
software (and network 6 9 73) resources within the PC 
system are used to communicate with the SSP. The path 
between the IPD interface, on the PC motherboard, and the 
SSP can be encrypted in order to prevent an eavesdropper 

25 auditing the property of an individual or organization. 

Figure 3 shows a PC 3 0 connected to a smartcard interface 
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31. The user is issued a smartcard 32 by the SSP 34. On 
receipt of the smartcard, the user is able to operate his 
system for a set period (e.g. one year), after which the 
SSP can use manual or electronic means to update the card, 
5 e.g. using a modem (not shown) to establish a 

communication link from the smartcard to the SSP, or by 
returning the card to the SSP for replacement or re- 
validating . 

10 Figure 4 shows a PC 20 that connects to an SSP 23 using a 
modem 21 connected to a public . switched telephone network 
(PSTN) 22. The connection can be to a modem server, 
located in the SSP. Alternatively, the PC can dial-up a 
local Internet provider and communicate to an Internet 

15 connected SSP. 

Figure 5 shows a PC 10 that connects to an SSP 14 via a 
LAN 11, a WAN 13, and a firewall 12. Figure 6 shows a PC 
1 that connects to local security server 6 via a LAN 2. 
20 In turn, the local security server connects to the SSP 5 
via (i) a firewall 3 and WAN 2 and/or (ii) a modem link 
(not shown). The . local security server reduces the WAN 
bandwidth required by a large organization. 

25 Figure 7 shows a system that uses a hierarchy of security 
servers inside a large customer premises 90. The PCs 102 
103, on separate LAN subnets 91, 96, connect to local 
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cache security servers 92 94. The LAN subnets 91 and 96 
are connected to a backbone LAN 97 by the router/firewalls 
93 and 95. The LAN 97 has connected a slave security 
server 98 that has access via a gateway/firewall 99 to a 
5 WAN 100. In normal operation, the cache servers 92 94 

communicate "challenge - response" packets directly to the 
slave security server 98. In the event that the slave 
server fails, or is unable to identify a part number, the 
cache servers can communicate "challenge - response" 
10 packets off site with the SSP 101. 
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CLAIMS 

1. An electronic immobilisation device (IPD) , for 
protecting electronic equipment associated therewith, and 

5 for use with a remote validating means (SSP) , the 
immobilisation device comprising: 

means (40,41,42) for generating a challenge code (C n ) ; 

means (50) for providing an identification code (P) 
uniquely identifying the electronic immobilisation device; 
10 output means for outputting said challenge code and 

said identification code to said validating means (SSP) ; 

input means for receiving a response code <RJ from 
said validating means (SSP) ;. 

checking means (49) for comparing said response code 
15 (RJ with said challenge code and providing a control 

signal indicating whether said comparison is valid; and 

inhibiting means for inhibiting or restricting 
operation of the protected electronic equipment if said 
control signal is not valid. 

20 

2 . A device according to claim 1 further comprising a 
first processing means (43) to produce an authentication 
code (An) from said challenge code, wherein 

said output means outputs said authentication code 
25 (A,,) to said validating means (SSP) . 

3. A device according to claim 2, wherein the first 
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processing means utilises a cryptographic algorithm using 
a first key (K 2 ) . - 



4. A device according to claim 2 or 3 , further 

5 comprising second processing means (4 6) for processing 
said challenge code using a method uniquely corresponding 
to the identification code to produce a check code (VRn) , 
wherein 

said checking means (4 9) compares said check code 
10 (VR,,) with said response code (R„) to provide said control 
signal. 

5. A device according to claim 4, wherein the second 
processing means utilises a cryptographic algorithm using 

15 a second key (K x ) . 

6. A device according to any one of claims 1 to 5 , 
wherein the generating means (40, 41, 42) comprises a 
sequence generator (40, 41) for generating a seed code (O n ) 

2 0 and third processing means (42) for coding the seed code 
(O n ) to provide said challenge code (C n ) . 



7. A device according to claim 6 wherein, the third 
processing means utilises a cryptographic algorithm using 

25 a key (K 0 ) . 

8. A device according to claim 6 or 7, wherein the seed 
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code (0 n ) is derived from a sequence code (S n ) produced by 
the sequence generator (40, '41) and wherein the sequence 
• code is changed each time said checking means (49) 
provides a valid control signal. 

9. A device according to claim 8 wherein the seed code 
(O n ) is irreversibly derived from a sequence code (S n ) . 



10 10. A device according to claim 3 and claim 5 ..wherein 
the first and second processing means use different 
algorithms. 

11. A device according to claim 3 and claim 5 or claim 
15 10, wherein the first key (K 2 ) and the second key (K x ) are 

different . 

12 . A device according to any of the preceding claims 
wherein the electronic immobilisation device (IPD) is 

20 associated with the protected electronic equipment by 

being: electrically connected to, attached to, enclosed 
in or integrated with the protected electronic equipment . 

13. A device according to any one of the preceding claims 
25 wherein the inhibiting means allows at least partial 

operation of the protected electronic equipment for a pre- 
determined time without having received a valid control 
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signal . 



10 



15 



20 



14. A security system incorporating an electronic 
immobilisation device (IPD) according to any one of the 
preceding claims and a validating means (SSP); 

the validating means (SSP) comprising: 

fourth processing means (4 5) for coding the challenge 
code received from the electronic immobilisation device, 
to produce the response code [R^) , and 

means (52) for selectively outputting the response 
code (RJ 

15. A system according to claim 14, when dependent on 
claim 2, the validating means (SSP) further comprising: 

fifth processing means (44) for coding the first 
challenge code (C n ) to produce an authentication validation 
code (VA„) ; 

comparing means for comparing the authentication code 
(At,) from the electronic security device with said 
authentication validation code (VA^ , wherein said 
selective output means (52) does not output the response 
code if the comparison of the authentication code (A^ and 
the authentication validation code (VAJ is not valid. 

16. A system according to claims 14 or 15, wherein the 
validation means further comprises identification code (P) 
validation means (51) wherein said means for selectively 
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outputting the response code (Rn) is inhibited if said part 
number (P) is invalid. 

17. A method of validating an immobilisation device (IPD) 
for protecting electronic equipment comprising in the 
protection device (IPD) : 

generating (4 0, 41, 42) a challenge code (C n ) ; 
outputting to a validating means (SSP) the challenge 
code (C n ) and an identification code (P) uniquely 
identifying the immobilisation device (IPD); 

receiving a response code (R^) from said validating 
means; 

comparing said challenge and response codes; and 
where said comparison is valid, enabling said protected 
electronic equipment . 

18. A method according to claim 17, further comprising 
the steps of; 

coding (43) the challenge code (C n ) to produce an 
20 authentication code (A„) and, outputting the authentication 
code to the validating means (SSP) . 

19. A method of validating an immobilisation device (IPD) 
for protecting electronic equipment comprising the steps 

25 of: 

receiving a challenge code (C n ) from said 
immobilisation device (IPD); 



10 
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coding the challenge code (C n ) to produce a response 
code (RJ ; 

selectively outputting the response code (R^ . 

20. A method according to claim 19 further comprising the 
steps of: 

coding the challenge code (C n ) to produce an 
authentication validation code (VA„) ; 

receiving an authentication code (AJ from said 
immobilisation device; 

comparing said authentication code (AJ and said 
authentication validation code (VA,,) ; 

inhibiting output of said response code (R„) if the 
comparison of said authentication code (Aj and said 
authentication validation code (VAJ is not valid. 

21. An electronic immobilisation device (IPD) , for 
protecting a electronic equipment associated therewith, 
and for use with a remote validating means (SSP) , the 
immobilisation device comprising: 

means (40,41,42) for generating a challenge signal 



said validating means (SSP) ; 

input means for receiving a response signal (R^) from 
said validating means (SSP) ; and 

checking means (49) for comparing said response 



(C n ) ; 



output means for outputting said challenge signal to 
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signal (RJ with said challenge signal and providing a 
control signal; 

means for inhibiting or restricting operation of the 
protected electronic equipment if said control signal is 
5 not valid. 
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